Governments issue alerts after 'sophisticated' state-backed actor found exploiting flaws in Cisco security boxes

Don't get too comfortable: 'Line Dancer' malware may be targeting other vendors, too


A previously unknown and "sophisticated" nation-state group compromised Cisco firewalls as early as November 2023 for espionage purposes — and possibly attacked network devices made by other vendors including Microsoft, according to warnings from the networking giant and three Western governments.

These cyber-spy campaigns, dubbed “ArcaneDoor” by Cisco, were first spotted in early January and revealed on Wednesday. And they targeted VPN services used by governments and critical infrastructure networks around the globe, according to a joint advisory issued by the Canadian Centre for Cyber Security (Cyber Centre), the Australian Signals Directorate's Cyber Security Centre, and the UK's National Cyber Security Centre (NCSC).

A Cisco spokesperson declined to comment on which country the snooping crew - tracked as UAT4356 by Talos and as STORM-1849 by Microsoft - is affiliated with. The disclosures, however, come as both Russian and China-backed hacking groups have been found burrowing into critical infrastructure systems and government agencies, with China specifically targeting Cisco gear.

The mysterious nation-state group "utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor," according to a Talos report published today.

The attacks exploit two vulnerabilities, CVE-2024-20353 and CVE-2024-20359, in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, and the networking giant issued fixes for both on Wednesday, plus a fix for a related flaw.

CVE-2024-20353 is a high-severity vulnerability in the management and VPN web servers for Cisco ASA and FTD devices, and could allow an unauthenticated, remote attacker to cause the machines to reload unexpectedly, resulting in a denial of service (DoS) attack. It received an 8.6 CVSS rating.

Two other flaws, CVE-2024-20359 and CVE-2024-20358, received a 6.0 CVSS score, and could allow an authenticated local attacker to execute arbitrary code with root-level privileges. Exploiting either, however, requires administrator-level privileges.

Cisco says it hasn't yet identified the initial attack vector that the intruders "used to implant custom malware and execute commands across a small set of customers."

A Cisco spokesperson also declined to specify how many customers were compromised in these attacks — or answer any of The Register's questions about the break-ins — and sent us this statement via email:

During the resolution of a Cisco customer support case, we discovered three previously unknown vulnerabilities impacting devices running Cisco Adaptive Security Appliances (ASA) or Cisco Firepower Threat Defense (FTD) software. We published security advisories for customers with software updates and other guidance to keep them safe. We strongly urge customers to take immediate action as outlined in the advisories and in this blog by Cisco Talos, our cyber threat intelligence organization.

Talos also stated that network telemetry and intel gleaned from partners "indicate the actor is interested in — and potentially attacking — network devices from Microsoft and other vendors."

Microsoft didn't respond to The Register's inquiries about this, but we will update this story if and when we hear back from Redmond. We’re keen to hear what the company has to say as it’s not a noted vendor of networking hardware – other than virtual appliances for its Azure cloud. If they’re under attack, that’s nasty.

After compromising victims' devices, the miscreants drop a couple of malware implants.

The first, called Line Dancer, is an in-memory implant used to upload and execute arbitrary shellcode payloads. Talos spotted this shellcode loader being used to disable syslog, run and exfiltrate the command show configuration, execute CLI commands, and initiate the hook and crash dump process. This forces devices to reboot, skipping the crash dump process and thus evading forensic analysis.

Line Dancer can also trick the AAA (Authentication, Authorization and Accounting) function into allowing the attacker to connect using a magic number authentication capability to establish a remote access VPN tunnel.

The second custom malware, Line Runner, is a persistent web shell that allows the intruders to stay on the compromised network, uploading and executing arbitrary Lua scripts.

The US Cybersecurity and Infrastructure Security Agency (CISA) also weighed in on the bugs under exploit and posted advice in which it "strongly encourages users and administrators to apply the necessary updates, hunt for any malicious activity, report positive findings to CISA," and review Cisco's advisories about the vulnerabilities.

"In addition to the alert we have not confirmed evidence of this activity affecting US government networks at this time," a CISA spokesperson told The Register. ®
